[syslog-ng] Help getting my rewrite to work
Dave Vernon
DVernon at Loyalistc.on.ca
Fri Jul 19 18:07:21 CEST 2013
Good morning all,
I'm having difficulties getting my rewrite statement to work properly. I've been spending more hours than I care to admit poring through docs, examples, etc., and just can't get it. (I really thought I was on the right track from a post in the May archives.)
In short, I am using syslog-ng 3.4.2 to receive my Windows event logs. There are several common Windows events that include a detailed description of the event EVERY TIME, which I am trying to drop before writing to my syslog server, leaving just the meat.
I originally wanted to start my testing by replacing a single word (i.e. the word "interactive" so that I could make sure the re-write rule was working before I tweaked my regex.) However, whenever I add my rule it's not logging any event that matches at all, and I'm not sure why. I'm doing a tail on the log file and it just doesn't write (literally) anything at all.
My examples...
source s_syslog {
udp(ip(0.0.0.0) port(514));
};
destination d_allwindows { file("/syslog/log/windows/hosts/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$HOST$YEAR$MONTH$DAY" create_dirs(yes)); };
rewrite r_rewrite_4624_2 { subst("interactive", "QuackApple", value("MSGONLY"));};
("interactive" is contained in the message, so it was an easy one to pick out for testing, and I used the string "QuackApple" as the replacement as I know it won't naturally appear, so I can search on it easily.)
log { source(s_syslog); filter(f_allwindows); rewrite(r_rewrite_4624_2); destination(d_allwindows); };
With these rules in place, the log is actually dropped, not re-written. If I change my rewrite rule to be something not found (i.e. replace "interactive" with "ZZowkr"), then the events start showing up in the tail again.
Thanks!
Dave Vernon
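The configuration from the post, reworked as an added example that is not the poster's own config. The subst() examples in the syslog-ng documentation target the MESSAGE name-value pair with value("MESSAGE"), whereas MSGONLY is a macro rather than a stored field; this version uses MESSAGE, and it is an assumption here that the target name is relevant to the behaviour described. The post does not show f_allwindows, so the filter below is constructed, as are the program name it matches and the regex that strips the description text.

```conf
# Added example, not the original poster's configuration. Assumptions are marked.
@version: 3.4

source s_syslog {
    udp(ip(0.0.0.0) port(514));
};

# Constructed filter: the post references f_allwindows but does not show its
# definition. The program name is a placeholder; use whatever your agent sends.
filter f_allwindows {
    program("MSWinEventLog");
};

# Step 1: smoke test that changes a single word, as in the post. Documented
# subst() examples use value("MESSAGE"); MSGONLY is a macro, not a field.
rewrite r_rewrite_smoke {
    subst("interactive", "QuackApple", value("MESSAGE"));
};

# Step 2: strip the verbose description that follows the fields of interest.
# The literal lead-in is a placeholder; replace it with the text that opens the
# description in the real events. flags("global") replaces every match rather
# than only the first.
rewrite r_rewrite_4624_strip {
    subst("This event is generated.*", "", value("MESSAGE"), flags("global"));
};

destination d_allwindows {
    file("/syslog/log/windows/hosts/$HOST/$R_YEAR/$R_MONTH/$R_DAY/$HOST$YEAR$MONTH$DAY"
         create_dirs(yes));
};

# While testing, also keep the unmodified message (path is constructed) so a
# dropped or mangled event can be compared against what actually arrived.
destination d_allwindows_raw {
    file("/syslog/log/windows/raw/$HOST/$HOST$YEAR$MONTH$DAY" create_dirs(yes));
};

# Elements of a log path are processed in order: the raw destination placed
# before the rewrites receives the message before it is modified.
log {
    source(s_syslog);
    filter(f_allwindows);
    destination(d_allwindows_raw);
    rewrite(r_rewrite_smoke);
    rewrite(r_rewrite_4624_strip);
    destination(d_allwindows);
};
```

Run `syslog-ng --syntax-only` after editing to catch a parse error before reloading; a path that silently writes nothing is easier to diagnose when the raw copy and the rewritten copy can be diffed side by side.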